[netsroht]

Being logged in while making search queries in search engines poses significant privacy risks. The searches can paint a comprehensive profile of the user, and these data often remain stored for extended periods. There's a chance this information might be shared with third parties. Coupled with other user data, these logged-in searches can pave the way for targeted advertising, sophisticated predictive analysis, and potential exploitation by governments or malicious entities. In the event of data breaches, the user's logged-in search histories can be exposed. Furthermore, users typically don't have clear insight into how their data is utilized when logged in.

I hope Kagi introduces an anonymous access feature. For instance, it could incorporate zero-knowledge proofs (ZKPs). These are cryptographic techniques where one party (the prover) can confirm to another (the verifier) that a claim is accurate without disclosing any additional information. This is especially beneficial for authentication scenarios where it's essential to avoid sharing extra details.

To implement zero-knowledge authentication for quota API access:

1. Token Creation:

- Each month, users receive a token tied to their identity and quota.

- The token can be split for use on multiple devices using cryptographic methods.

2. API Access:

- Clients present a zero-knowledge proof (ZKP) to confirm they have a valid token and haven't used up their quota. The server verifies this without seeing the exact details.

3. Client Synchronization:

- Each client tracks its quota usage.

- Synchronization can be peer-to-peer or through a centralized, encrypted server to prevent double spending of the quota.

4. Quota Renewal:

- Monthly, old tokens expire, and new tokens are issued.

Challenges:

- ZKPs can be resource-intensive.

- Token security is crucial; there should be a way to handle lost or compromised tokens.

- The system should prevent quota "double-spending" across devices.

- If a centralized server is used for synchronization, it should operate with encrypted data.

This way Kagi would only know who their customers are but not what kind of searches they make.

[freediver]

Kagi already provides a way to search anonymously via a random email address (we do not really verify it or need it for anything) and Bitcoin/Lightning payment [1].

Since you are interested in cryptography, there is a discussion on Kagi feedback site along the same lines as your idea, about possible ways to achieve this without the need for cryptocurrency. [2]

[1] https://blog.kagi.com/accepting-paypal-bitcoin

[2] https://kagifeedback.org/d/653-completely-anonymous-searches...

[netsroht]

Thanks for the links. Using a disposable email with crypto payments and occasionally generating a new account to unlink from previous searches could be a viable intermediate solution.

Also, I found this link [1] in the thread you mentioned. They seem to have implemented something like that.

[1] https://metager.de/keys/help/anonymous-token

[freediver]

Just to make it clear, Kagi does not link searches to an account already, to begin with. Refer to our privacy policy [1]. We simply do not need that data for anything and it would be just a liability for us. Our philosophy is that users should personalize the search feed themselves and this is why we built features like the aiblity to block or promote domains, create search lenses and many more.

However there is no technical way of proving it. So cryptocurrency and cryptography are ways to achieve anonimity from a perspective of a user, regardless of what we are doing.

[1] https://kagi.com/privacy

[boredpudding]

Any system that can check balance, can link searches to a user. There's no way around it. In your case, Kagi would need to trust the client with the balance, which would be insecure.

There's only one solution, and that is that you need to put a bit of trust in Kagi. Compared to the major one, Google, you can chose between one that promises to not store data, and one that promises it does (and does a lot).

It's always a bit sad that here on HN, when companies try to do better than bigger players, there's always people who think it isn't enough. It has to be absolutely impossibly perfect.

[smsm42]

> Any system that can check balance, can link searches to a user.

I don't think it's true. I can immediately see at least two ways how it can be done without identifying the user.

1. Each user gets X tokens at the beginning of the month. When searching, user supplies a token, which is immediately burned. The token does not contain the user identity, just signature validating it's a valid token.

2. Variation of the above: each user gets a token good for X searches at the beginning of the month. When searching, the system will return a token good for N-1 search each time token good for N searches is presented. Again, no need to contain user identity anywhere in the system.

Of course, both solutions have their downsides (sync between multiple devices, stealing tokens, losing tokens, etc.) but it id definitely possible. And I am sure if somebody spent a little time thinking on it, these ideas can be seriously improved to eliminate the downsides without introducing the need to identify the user.

[phil9909]

In both these cases the search engine provider could easily store your identity together with your token while issuing it and recover the identity once the token is used without any way to prove this from the outside. They could even issue tokens in the form AES_ENC("SOME KEY ONLY THEY HAVE", USER_ID | counter) and you would not notice. You would have to trust them that they won't do this, which is no improvement to the current thing Kagi does (saying they won't collect any data, while admitting they can't prove it, you just have to trust them).

[smsm42]

I think there's a fundamental difference between "X can not be implemented" and "can we trust this provider to implement X correctly"? In this case, it can be implemented without violating privacy. But of course you need to trust them to actually implement what they say and not instead put 9000 trackers in each page and track your every movement like certain other big companies do. But these are different things - the comment upstream claimed that the subscription system can not be implemented with privacy. This is not true - it can be. Whether or not a particular provider would implement it, and whether we can trust them that they did - that's a different question, which is also important but does not change the answer to the original one.

[netsroht]

I'm not a cryptography expert, but from my research, shouldn't it be possible to verify quota on ZKPs server-side? Essentially, the server doesn't need to know the specifics of the user's identity, just that they possess a valid token and haven't exceeded their quota.

You can use search engines like Google without being logged in. When combined with tools like uBlock Origin and Cookie AutoDelete, it becomes more challenging for them to build a singular profile about a user, especially one tied to payment methods such as credit cards.

I genuinely appreciate what Kagi is doing, and I'd absolutely be willing to pay for their service, because if you're not paying for a service, you're the product. I trust companies to uphold their privacy promises, but "Trust is good, but proof is better." ;)

[gizmo686]

The issue is implementing it client side. ZKP means that you cannot simply embed a token in the URL, but instead need to participate in an active protocol. You could implement this in JavaScript, but then you need to trust the JS being served from the server.

Even once you do that, you have all the other tracking mechanisms that the server could use if it wanted to.

[KRAKRISMOTT]

They key word is server side. You have no way to verify that they are not tracking sessions as an user.

[yencabulator]

> Any system that can check balance, can link searches to a user.

For what it's worth, you can buy a physical Mullvad gift card and use that to create a very anonymous account for VPN use.

Even if you buy your gift card from a major online retailer, it comes from a stack of gift cards, nothing tracks which one was sent to whom. You can also exchange gifts among friends.

[EA-3167]

I'm not searching for anything terrifyingly illegal, and for the rest Google and MS already scrape and compile every byte of data I've ever generated. Why would it suddenly be a problem when a more reliable and less vicious company is doing a fraction of that?

You have to understand that most of us aren't fighting some battle for "perfect privacy," I just want a search engine that works for me, rather than advertisers, at the level of the search results themselves.

[netsroht]

I get your perspective. A lot of us just want a search engine that serves the user first, not advertisers, especially at the results level. It's about function over strict privacy for many--everyone has their own privacy threshold.

But it's also about digital data autonomy. It's not just about avoiding surveillance over sensitive searches, but having control over our data's destiny. Even mundane data, in aggregate, can sometimes be used in ways we can't predict.

[alwaysbeconsing]

Personally privacy is a strong concern for me; I have many aspects of my digital life set up less conveniently in exchange for privacy.

In this case though we've have on one hand a product that definitely does aggregate data about searches, and doesn't do what I need very well; and the other a product that could, but does not currently aggregate data, and does an excellent job serving my needs.

And importantly there is no option of a product, available now, that is verifiably prevented from aggregation. Even a VPN unless I disconnect and get a new random IP between every individual search does not provide that protection. (And then browser fingerprints even.)

[carlosjobim]

What is counted as "terrifyingly illegal" changes without a moments notice on the whims of your rulers. So even if you're not googling on how to bomb the government, there are hundreds of other subjects and opinions that could in the future make the majority of your neighbours, family and workmates think you deserve to be shunned, fired, in prison, or worse. That is why people want to protect their privacy.

[EA-3167]

Ok, but again Google and a hundred data brokers already scrape every detail of my life no matter what I do. Even if I become a hermit in the woods the existence of my friends and family who don't take those precautions would make my efforts worthless. Meanwhile we're talking about Google/Bing vs. Kagi... not "Super Secret Perfect Privacy Magic" vs Kagi.

So while I understand your overall concern, that ship has sailed for search engines and the internet. We're living in a world full of networked cameras that people voluntarily and happily install, of people broadcasting their lives 24/7. The idea of perfect privacy is getting downright mystical/religious.

[carlosjobim]

Sure, and for what it's worth I trust Kagi. But I can understand those who are more strict with their privacy.

In the end I think we have to accept in some way that everything we say, write and do is subject to surveillance, and that the government might want to kill you for any reason that you'd have no chance of preventing.

[andrewinardeer]

> Being logged in while making search queries in search engines poses significant privacy risks. The searches can paint a comprehensive profile of the user, and these data often remain stored for extended periods. There's a chance this information might be shared with third parties. Coupled with other user data, these logged-in searches can pave the way for targeted advertising, sophisticated predictive analysis, and potential exploitation by governments or malicious entities. In the event of data breaches, the user's logged-in search histories can be exposed. Furthermore, users typically don't have clear insight into how their data is utilized when logged in.

This reads and smells like ChatGPT / AI.

[idonotknowwhy]

Was thinking the same thing. Not even gpt4

[SkyPuncher]

I’ve gotten tired of these boogey man arguments.

There are sooooo many other ways to fingerprint than an account.

Oh look, this MacBook with X by Y resolution from this IP address has had 100 searches for the past 2 hours. Oh no! He switched to incognito.